Topic: What is MalPE??

Hello, I've been noticing something weird over the last few days... I do regular scans with RogueKiller and once a week it finds some MalPE (usually the MalPE.29) on some registry keys that are related to Steam. I've been careful with both browsing and such, but it's been bugging me a lot... What are these MalPEs that pop up from nowhere and how harmful are they? And if so, what to do to get rid of them in a more permanent way?

MalPE is a new heuristic engine that detects anomalies in PE files. In our tests, MalPE appeared to be detecting 90% of malware files, while having false positives on 2% of them. We are still working on reducing those false positives massively, so this feature is still in Beta.

For the time being, I advise you to disable the use of the MalPE engine in the Settings tab.

Thank you for your reply. Well 90% is good for me so I'll keep it on, since the weird issue was it only detected on registry keys of games I haven't touched in a while and it had something to do with firewall permissions. Also, 3 days ago it didn't detect anything and today it detected that so I was worried I might have been, somehow, infected.

You are very welcome. If you want to help us, please make an archive with all the files detected by MalPE and attach it to your next reply. Manual analysis of the files will help us improve the engine.

Hello, I have a couple of those detections in quarantine and also have the logs. Should I upload the logs through RogueKiller? If so, what helper should I choose?

Also, just another question (in order to not open a new thread, and I'm not sure if it's related to this issue or not): since the update to 13.1.6.0 RogueKiller has been detecting 2 PUM.HomePage entries: one is homepage and the other is session.startup_url. On both, the data entry is the Google website (so I'm guessing this PUM.HomePage is changing my homepage from Google to Google?), and I even reset Chrome to defaults without the sync on and then forced the sync with the "clean" version, but this keeps popping back up. And the weirdest part: on the scan I did before the update it came clean, and right after that scan I noticed there was an update for RogueKiller, updated it, and this keeps showing up daily. Any ideas?

Well, if you don't mind, can you give me a step by step on how to get them? I only have the options to either restore or delete them in RogueKiller, so I don't know how to get them from the quarantine.

edit: just found them inside the RogueKiller folder... do you need the .meta ones as well?

edit 2: the files in question have the same info as the log. Just out of curiosity, how will these files actually help with the RogueKiller detections and such? Just trying to expand my knowledge base and understand a little bit more about the information that can be gathered by studying and analysing these types of files.

You need to restore them, then zip them from the Explorer, not RogueKiller. MalPE uses PE (Portable Executable) characteristics to define a file as malicious. By manually analysing them, we will be able to determine what triggered the false detection and improve the detection engine.
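As an added illustration of what "PE characteristics" means in practice (this is not RogueKiller's code; MalPE's real rules are not published, and the three heuristics below are assumptions about the kind of structural checks such an engine performs), here is a small Python scanner that parses the PE section table and flags an entry point outside every section, a section that is both writable and executable, and a high-entropy section; `build_pe` constructs minimal test files so it runs offline. Legitimately packed or DRM-protected binaries score high on the entropy check too, which is one way heuristics like these produce the false positives discussed in this thread.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flags
IMAGE_SCN_MEM_WRITE = 0x80000000

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest packed or encrypted data."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0

def parse_sections(pe: bytes):
    """Return (entry RVA, [(name, va, size, raw_bytes, flags)]) from a PE32/PE32+ file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, e_lfanew + 6)
    entry = struct.unpack_from("<I", pe, e_lfanew + 40)[0]  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size                         # first section header
    sections = []
    for off in range(table, table + 40 * nsec, 40):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), pe[rawptr:rawptr + rawsize], flags))
    return entry, sections

def pe_anomalies(pe: bytes) -> list:
    """Heuristic findings; each is a reason a PE anomaly engine might flag the file."""
    entry, sections = parse_sections(pe)
    findings = []
    if not any(va <= entry < va + size for _, va, size, _, _ in sections):
        findings.append("entry point outside every section")
    for name, _, _, raw, flags in sections:
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: section is both writable and executable")
        if entropy(raw) > 7.0:
            findings.append(f"{name}: high entropy, looks packed or encrypted")
    return findings

def build_pe(entry: int, sections) -> bytes:
    """Constructed minimal PE32 for testing; sections = [(name, va, flags, data)]."""
    opt = struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", entry) + bytes(204)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    raw_ptr, hdrs, body = 0x80 + 24 + len(opt) + 40 * len(sections), b"", b""
    for name, va, flags, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        body, raw_ptr = body + data, raw_ptr + len(data)
    dos = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    return dos + b"PE\0\0" + file_hdr + opt + hdrs + body
```

Run `pe_anomalies(open(path, "rb").read())` on a quarantined sample to see which structural property tripped; an empty list means none of these three heuristics fired.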